github docker/sbx-releases v0.35.0-rc1

pre-release3 hours ago

Highlights

This release revamps policy tooling with a concise sbx policy ls, a new sbx policy inspect, and a sbx policy check network command for testing whether the current policy would allow an access request before you run.
Networking gains a SOCKS5 upstream-proxy transport using DOCKER_SANDBOXES_PROXY.
Secrets get a new sbx secret import with clearer env-source visibility.

What's New

Networking & Proxy

  • The sandbox proxy can chain upstream egress through a SOCKS5 proxy (socks5:// / socks5h://, with optional auth) via DOCKER_SANDBOXES_PROXY, HTTP_PROXY, or HTTPS_PROXY.
  • Add DOCKER_SANDBOXES_NO_PROXY to exclude destinations from DOCKER_SANDBOXES_PROXY, using standard NO_PROXY matching semantics.
  • Droid OAuth credentials are now proxy-managed: real tokens stay on the host and never land in the sandbox.
  • Faster sandbox startup: the TLS-proxy CA is installed by merging into the trust bundle instead of running update-ca-certificates, saving several hundred milliseconds.

Policy

  • Simplify sbx policy ls and add --wide, --source, and --decision filters
  • Add sbx policy check to test whether the current policy would allow an access request
  • Balanced network preset now allows VS Code domains, Azure Blob Storage (*.blob.core.windows.net), and dhi.io over HTTP.

Kits

  • sbx kit add now recreates the sandbox container with the augmented kit set instead of injecting at runtime. State is preserved with the re-creation.
  • sbx kit add applies the added kit's network allow/deny rules and composed policy on the running sandbox.
  • Re-attaching to a sandbox created from a custom --kit agent now works with sbx run --name <name> without re-passing --kit.
  • Kits can inject the user's Docker login token into requests to docker.com hosts via a credential with service sbx-login.

CLI

  • sbx rm now won't delete an active session unless --force is passed.
  • sbx inspect now lists the sandbox's kits, injected secrets, and sandbox information.
  • Added sbx daemon command (start, stop, status, log-level)

Secrets

  • sbx secret import imports credential env vars into the keychain; sbx secret ls flags env-only and OAuth-shadowed entries. Host env vars no longer auto-inject at runtime — use sbx secret import to migrate.

Runtime & images

  • Enable virtiofs caching by default on all operating systems by default for faster filesystem performance (DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0 to opt out).

Bug Fixes

  • Fix "container not found" errors when copying files with sbx cp on a sandbox that has had a kit added.
  • Enforce the one-credential-per-service rule on credential capture paths so a stale API key no longer shadows a newly captured credential.
  • Fix sbx login failing with "The specified item already exists in the keychain" when signing back into a previously used account; logout now clears all stored Docker credentials.
  • Restarted sandboxes keep GitHub access by rehydrating the stored github credential on daemon restart.
  • Fix a custom kit clearing the proxy's built-in GitHub auth header mapping for the whole daemon until a restart.
  • Tunnel plain-HTTP forward traffic (e.g. apt, port 80) via CONNECT when the upstream proxy only supports CONNECT.
  • Sandbox egress through an upstream proxy identifies as sbx-proxy on the CONNECT handshake.
  • Fix IPv6 policy allow rules using bracket notation (e.g. [fdcb::1]:22) not matching.
  • Fix sbx connecting to the wrong Docker daemon when DOCKER_HOST is set in the environment.
  • Serialize Docker Hub token refresh across the CLI and daemon so sign-in sessions aren't unexpectedly lost.

Platform support

  • Block installation on Windows versions older than Windows 11 (the only currently supported version).

Don't miss a new sbx-releases release

NewReleases is sending notifications on new releases.